cipherstash-pg 1.0.0.beta.1-x86_64-darwin-21

data/certs/larskanis-2022.pem

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIETTCCArWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDDB1sYXJz
+L0RDPWdyZWl6LXJlaW5zZG9yZi9EQz1kZTAeFw0yMjAyMTQxMzMwNTZaFw0yMzAy
+MTQxMzMwNTZaMCgxJjAkBgNVBAMMHWxhcnMvREM9Z3JlaXotcmVpbnNkb3JmL0RD
+PWRlMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwum6Y1KznfpzXOT/
+mZgJTBbxZuuZF49Fq3K0WA67YBzNlDv95qzSp7V/7Ek3NCcnT7G+2kSuhNo1FhdN
+eSDO/moYebZNAcu3iqLsuzuULXPLuoU0GsMnVMqV9DZPh7cQHE5EBZ7hlzDBK7k/
+8nBMvR0mHo77kIkapHc26UzVq/G0nKLfDsIHXVylto3PjzOumjG6GhmFN4r3cP6e
+SDfl1FSeRYVpt4kmQULz/zdSaOH3AjAq7PM2Z91iGwQvoUXMANH2v89OWjQO/NHe
+JMNDFsmHK/6Ji4Kk48Z3TyscHQnipAID5GhS1oD21/WePdj7GhmbF5gBzkV5uepd
+eJQPgWGwrQW/Z2oPjRuJrRofzWfrMWqbOahj9uth6WSxhNexUtbjk6P8emmXOJi5
+chQPnWX+N3Gj+jjYxqTFdwT7Mj3pv1VHa+aNUbqSPpvJeDyxRIuo9hvzDaBHb/Cg
+9qRVcm8a96n4t7y2lrX1oookY6bkBaxWOMtWlqIprq8JZXM9AgMBAAGjgYEwfzAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHQ4EFgQUOIdbSMr3VFrTCO9/cTM0
+0exHzBcwIgYDVR0RBBswGYEXbGFyc0BncmVpei1yZWluc2RvcmYuZGUwIgYDVR0S
+BBswGYEXbGFyc0BncmVpei1yZWluc2RvcmYuZGUwDQYJKoZIhvcNAQELBQADggGB
+AFWP7F/y3Oq3NgrqUOnjKOeDaBa7AqNhHS+PZg+C90lnJzMgOs4KKgZYxqSQVSab
+SCEmzIO/StkXY4NpJ4fYLrHemf/fJy1wPyu+fNdp5SEEUwEo+2toRFlzTe4u4LdS
+QC636nPPTMt8H3xz2wf/lUIUeo2Qc95Qt2BQM465ibbG9kmA3c7Sopx6yOabYOAl
+KPRbOSEPiWYcF9Suuz8Gdf8jxEtPlnZiwRvnYJ+IHMq3XQCJWPpMzdDMbtlgHbXE
+vq1zOTLMSYAS0UB3uionR4yo1hLz60odwkCm7qf0o2Ci/5OjtB0a89VuyqRU2vUJ
+QH95WBjDJ6lCCW7J0mrMPnJQSUFTmufsU6jOChvPaCeAzW1YwrsP/YKnvwueG7ip
+VOdW6RitjtFxhS7evRL0201+KUvLz12zZWWjOcujlQs64QprxOtiv/MiisKb1Ng+
+oL1mUdzB8KrZL4/WbG5YNX6UTtJbIOu9qEFbBAy4/jtIkJX+dlNoFwd4GXQW1YNO
+nA==
+-----END CERTIFICATE-----

data/cipherstash-pg.gemspec

@@ -0,0 +1,31 @@
+# This gemspec replaces cipherstash-pg.gemspec when the FAT gems are built.
+# It is not used when the ABI-specific gems are built.
+
+# frozen_string_literal: true
+# -*- encoding: utf-8 -*-
+
+require_relative 'lib/pg/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "cipherstash-pg"
+  spec.version       =  "1.0.0.beta.1"
+  spec.authors       = ["CipherStash"]
+  spec.email         = ["engineers@cipherstash.com"]
+
+  spec.summary       = "CipherStash PG is a drop in replacement of PG that provides transparent data encryption"
+  spec.description   = "CipherStash PG is a drop in replacement of PG that provides transparent data encryption, with a PG-compatible API"
+  spec.homepage      = "https://github.com/cipherstash/cipherstash-pg"
+  spec.license       = "BSD-2-Clause"
+  spec.required_ruby_version = ">= 2.7"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/cipherstash/cipherstash-pg"
+  spec.metadata["documentation_uri"] = "http://deveiate.org/code/pg"
+
+  spec.platform = Gem::Platform::CURRENT
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `find .`.lines.map{|line| line.strip}.reject{|line| line == "" || [".", ".."].include?(line)}
+  end
+  spec.require_paths = ["lib"]
+end

data/lib/cipherstash-pg.rb

@@ -0,0 +1,15 @@
+require_relative './pg'
+
+module CipherStash
+  module PG
+    DB_EXT_DIR = File.join(__dir__, '../vendor/database-extensions')
+
+    def self.install_script
+      File.read(File.join(DB_EXT_DIR, "install.sql"))
+    end
+
+    def self.uninstall_script
+      File.read(File.join(DB_EXT_DIR, "uninstall.sql"))
+    end
+  end
+end

data/lib/pg/basic_type_map_based_on_result.rb

@@ -0,0 +1,47 @@
+# -*- ruby -*-
+# frozen_string_literal: true
+
+require 'pg' unless defined?( PG )
+
+# Simple set of rules for type casting common PostgreSQL types from Ruby
+# to PostgreSQL.
+#
+# OIDs of supported type casts are not hard-coded in the sources, but are retrieved from the
+# PostgreSQL's +pg_type+ table in PG::BasicTypeMapBasedOnResult.new .
+#
+# This class works equal to PG::BasicTypeMapForResults, but does not define decoders for
+# the given result OIDs, but encoders. So it can be used to type cast field values based on
+# the type OID retrieved by a separate SQL query.
+#
+# PG::TypeMapByOid#build_column_map(result) can be used to generate a result independent
+# PG::TypeMapByColumn type map, which can subsequently be used to cast query bind parameters
+# or #put_copy_data fields.
+#
+# Example:
+#   conn.exec( "CREATE TEMP TABLE copytable (t TEXT, i INT, ai INT[])" )
+#
+#   # Retrieve table OIDs per empty result set.
+#   res = conn.exec( "SELECT * FROM copytable LIMIT 0" )
+#   # Build a type map for common ruby to database type encoders.
+#   btm = PG::BasicTypeMapBasedOnResult.new(conn)
+#   # Build a PG::TypeMapByColumn with encoders suitable for copytable.
+#   tm = btm.build_column_map( res )
+#   row_encoder = PG::TextEncoder::CopyRow.new type_map: tm
+#
+#   conn.copy_data( "COPY copytable FROM STDIN", row_encoder ) do |res|
+#     conn.put_copy_data ['a', 123, [5,4,3]]
+#   end
+# This inserts a single row into copytable with type casts from ruby to
+# database types.
+class PG::BasicTypeMapBasedOnResult < PG::TypeMapByOid
+	include PG::BasicTypeRegistry::Checker
+
+	def initialize(connection_or_coder_maps, registry: nil)
+		@coder_maps = build_coder_maps(connection_or_coder_maps, registry: registry)
+
+		# Populate TypeMapByOid hash with encoders
+		@coder_maps.each_format(:encoder).flat_map{|f| f.coders }.each do |coder|
+			add_coder(coder)
+		end
+	end
+end

data/lib/pg/basic_type_map_for_queries.rb

@@ -0,0 +1,193 @@
+# -*- ruby -*-
+# frozen_string_literal: true
+
+require 'pg' unless defined?( PG )
+
+# Simple set of rules for type casting common Ruby types to PostgreSQL.
+#
+# OIDs of supported type casts are not hard-coded in the sources, but are retrieved from the
+# PostgreSQL's pg_type table in PG::BasicTypeMapForQueries.new .
+#
+# Query params are type casted based on the class of the given value.
+#
+# Higher level libraries will most likely not make use of this class, but use their
+# own derivation of PG::TypeMapByClass or another set of rules to choose suitable
+# encoders and decoders for the values to be sent.
+#
+# Example:
+#   conn = PG::Connection.new
+#   # Assign a default ruleset for type casts of input and output values.
+#   conn.type_map_for_queries = PG::BasicTypeMapForQueries.new(conn)
+#   # Execute a query. The Integer param value is typecasted internally by PG::BinaryEncoder::Int8.
+#   # The format of the parameter is set to 0 (text) and the OID of this parameter is set to 20 (int8).
+#   res = conn.exec_params( "SELECT $1", [5] )
+class PG::BasicTypeMapForQueries < PG::TypeMapByClass
+	# Helper class for submission of binary strings into bytea columns.
+	#
+	# Since PG::BasicTypeMapForQueries chooses the encoder to be used by the class of the submitted value,
+	# it's necessary to send binary strings as BinaryData.
+	# That way they're distinct from text strings.
+	# Please note however that PG::BasicTypeMapForResults delivers bytea columns as plain String
+	# with binary encoding.
+	#
+	#   conn.type_map_for_queries = PG::BasicTypeMapForQueries.new(conn)
+	#   conn.exec("CREATE TEMP TABLE test (data bytea)")
+	#   bd = PG::BasicTypeMapForQueries::BinaryData.new("ab\xff\0cd")
+	#   conn.exec_params("INSERT INTO test (data) VALUES ($1)", [bd])
+	class BinaryData < String
+	end
+
+	class UndefinedEncoder < RuntimeError
+	end
+
+	include PG::BasicTypeRegistry::Checker
+
+	# Create a new type map for query submission
+	#
+	# Options:
+	# * +registry+: Custom type registry, nil for default global registry
+	# * +if_undefined+: Optional +Proc+ object which is called, if no type for an parameter class is not defined in the registry.
+	def initialize(connection_or_coder_maps, registry: nil, if_undefined: nil)
+		@coder_maps = build_coder_maps(connection_or_coder_maps, registry: registry)
+		@array_encoders_by_klass = array_encoders_by_klass
+		@encode_array_as = :array
+		@if_undefined = if_undefined || proc { |oid_name, format|
+			raise UndefinedEncoder, "no encoder defined for type #{oid_name.inspect} format #{format}"
+		}
+		init_encoders
+	end
+
+	# Change the mechanism that is used to encode ruby array values
+	#
+	# Possible values:
+	# * +:array+ : Encode the ruby array as a PostgreSQL array.
+	#   The array element type is inferred from the class of the first array element. This is the default.
+	# * +:json+ : Encode the ruby array as a JSON document.
+	# * +:record+ : Encode the ruby array as a composite type row.
+	# * <code>"_type"</code> : Encode the ruby array as a particular PostgreSQL type.
+	#   All PostgreSQL array types are supported.
+	#   If there's an encoder registered for the elements +type+, it will be used.
+	#   Otherwise a string conversion (by +value.to_s+) is done.
+	def encode_array_as=(pg_type)
+		case pg_type
+			when :array
+			when :json
+			when :record
+			when /\A_/
+			else
+				raise ArgumentError, "invalid pg_type #{pg_type.inspect}"
+		end
+
+		@encode_array_as = pg_type
+
+		init_encoders
+	end
+
+	attr_reader :encode_array_as
+
+	private
+
+	def init_encoders
+		coders.each { |kl, c| self[kl] = nil } # Clear type map
+		populate_encoder_list
+		@textarray_encoder = coder_by_name(0, :encoder, '_text')
+	end
+
+	def coder_by_name(format, direction, name)
+		check_format_and_direction(format, direction)
+		@coder_maps.map_for(format, direction).coder_by_name(name)
+	end
+
+	def undefined(name, format)
+		@if_undefined.call(name, format)
+	end
+
+	def populate_encoder_list
+		DEFAULT_TYPE_MAP.each do |klass, selector|
+			if Array === selector
+				format, name, oid_name = selector
+				coder = coder_by_name(format, :encoder, name).dup
+				if coder
+					if oid_name
+						oid_coder = coder_by_name(format, :encoder, oid_name)
+						if oid_coder
+							coder.oid = oid_coder.oid
+						else
+							undefined(oid_name, format)
+						end
+					else
+						coder.oid = 0
+					end
+					self[klass] = coder
+				else
+					undefined(name, format)
+				end
+			else
+
+				case @encode_array_as
+					when :array
+						self[klass] = selector
+					when :json
+						self[klass] = PG::TextEncoder::JSON.new
+					when :record
+						self[klass] = PG::TextEncoder::Record.new type_map: self
+					when /\A_/
+						coder = coder_by_name(0, :encoder, @encode_array_as)
+						if coder
+							self[klass] = coder
+						else
+							undefined(@encode_array_as, format)
+						end
+					else
+						raise ArgumentError, "invalid pg_type #{@encode_array_as.inspect}"
+				end
+			end
+		end
+	end
+
+	def array_encoders_by_klass
+		DEFAULT_ARRAY_TYPE_MAP.inject({}) do |h, (klass, (format, name))|
+			h[klass] = coder_by_name(format, :encoder, name)
+			h
+		end
+	end
+
+	def get_array_type(value)
+		elem = value
+		while elem.kind_of?(Array)
+			elem = elem.first
+		end
+		@array_encoders_by_klass[elem.class] ||
+				elem.class.ancestors.lazy.map{|ancestor| @array_encoders_by_klass[ancestor] }.find{|a| a } ||
+				@textarray_encoder
+	end
+
+	DEFAULT_TYPE_MAP = {
+		TrueClass => [1, 'bool', 'bool'],
+		FalseClass => [1, 'bool', 'bool'],
+		# We use text format and no type OID for numbers, because setting the OID can lead
+		# to unnecessary type conversions on server side.
+		Integer => [0, 'int8'],
+		Float => [0, 'float8'],
+		BigDecimal => [0, 'numeric'],
+		Time => [0, 'timestamptz'],
+		# We use text format and no type OID for IPAddr, because setting the OID can lead
+		# to unnecessary inet/cidr conversions on the server side.
+		IPAddr => [0, 'inet'],
+		Hash => [0, 'json'],
+		Array => :get_array_type,
+		BinaryData => [1, 'bytea'],
+	}
+
+	DEFAULT_ARRAY_TYPE_MAP = {
+		TrueClass => [0, '_bool'],
+		FalseClass => [0, '_bool'],
+		Integer => [0, '_int8'],
+		String => [0, '_text'],
+		Float => [0, '_float8'],
+		BigDecimal => [0, '_numeric'],
+		Time => [0, '_timestamptz'],
+		IPAddr => [0, '_inet'],
+	}
+
+end

data/lib/pg/basic_type_map_for_results.rb

@@ -0,0 +1,81 @@
+# -*- ruby -*-
+# frozen_string_literal: true
+
+require 'pg' unless defined?( PG )
+
+# Simple set of rules for type casting common PostgreSQL types to Ruby.
+#
+# OIDs of supported type casts are not hard-coded in the sources, but are retrieved from the
+# PostgreSQL's +pg_type+ table in PG::BasicTypeMapForResults.new .
+#
+# Result values are type casted based on the type OID of the given result column.
+#
+# Higher level libraries will most likely not make use of this class, but use their
+# own set of rules to choose suitable encoders and decoders.
+#
+# Example:
+#   conn = PG::Connection.new
+#   # Assign a default ruleset for type casts of output values.
+#   conn.type_map_for_results = PG::BasicTypeMapForResults.new(conn)
+#   # Execute a query.
+#   res = conn.exec_params( "SELECT $1::INT", ['5'] )
+#   # Retrieve and cast the result value. Value format is 0 (text) and OID is 20. Therefore typecasting
+#   # is done by PG::TextDecoder::Integer internally for all value retrieval methods.
+#   res.values  # => [[5]]
+#
+# PG::TypeMapByOid#build_column_map(result) can be used to generate
+# a result independent PG::TypeMapByColumn type map, which can subsequently be used
+# to cast #get_copy_data fields:
+#
+# For the following table:
+#   conn.exec( "CREATE TABLE copytable AS VALUES('a', 123, '{5,4,3}'::INT[])" )
+#
+#   # Retrieve table OIDs per empty result set.
+#   res = conn.exec( "SELECT * FROM copytable LIMIT 0" )
+#   # Build a type map for common database to ruby type decoders.
+#   btm = PG::BasicTypeMapForResults.new(conn)
+#   # Build a PG::TypeMapByColumn with decoders suitable for copytable.
+#   tm = btm.build_column_map( res )
+#   row_decoder = PG::TextDecoder::CopyRow.new type_map: tm
+#
+#   conn.copy_data( "COPY copytable TO STDOUT", row_decoder ) do |res|
+#     while row=conn.get_copy_data
+#       p row
+#     end
+#   end
+# This prints the rows with type casted columns:
+#   ["a", 123, [5, 4, 3]]
+#
+# See also PG::BasicTypeMapBasedOnResult for the encoder direction and PG::BasicTypeRegistry for the definition of additional types.
+class PG::BasicTypeMapForResults < PG::TypeMapByOid
+	include PG::BasicTypeRegistry::Checker
+
+	class WarningTypeMap < PG::TypeMapInRuby
+		def initialize(typenames)
+			@already_warned = Hash.new{|h, k| h[k] = {} }
+			@typenames_by_oid = typenames
+		end
+
+		def typecast_result_value(result, _tuple, field)
+			format = result.fformat(field)
+			oid = result.ftype(field)
+			unless @already_warned[format][oid]
+				warn "Warning: no type cast defined for type #{@typenames_by_oid[oid].inspect} format #{format} with oid #{oid}. Please cast this type explicitly to TEXT to be safe for future changes."
+				 @already_warned[format][oid] = true
+			end
+			super
+		end
+	end
+
+	def initialize(connection_or_coder_maps, registry: nil)
+		@coder_maps = build_coder_maps(connection_or_coder_maps, registry: registry)
+
+		# Populate TypeMapByOid hash with decoders
+		@coder_maps.each_format(:decoder).flat_map{|f| f.coders }.each do |coder|
+			add_coder(coder)
+		end
+
+		typenames = @coder_maps.typenames_by_oid
+		self.default_type_map = WarningTypeMap.new(typenames)
+	end
+end